Social Engineering manipulates people into performing actions or divulging confidential information. Rather than exploiting technical vulnerabilities, attackers exploit human psychology—trust, helpfulness, fear, urgency, and authority. Techniques include pretexting (a fabricated scenario that gives the attacker a plausible reason to ask), baiting (malware-laden devices or downloads left for the victim to use), tailgating (following an authorized person through a secured door without presenting credentials), and quid pro quo (offering a service, such as "help desk" assistance, in exchange for credentials or information).
Social engineering sidesteps technical controls rather than defeating them. Even a well-hardened system fails when a user is talked into revealing a password, approving an MFA prompt, or granting access. Defense requires security awareness training, verification procedures for sensitive requests (confirming the requester through a known-good channel rather than through contact details supplied in the request itself), and an organizational culture in which questioning or slowing down an unusual request is encouraged rather than penalized.
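As an added illustration (not part of the original page), the following Python sketch encodes one such verification procedure for a help desk: a sensitive request is never completed on the strength of the inbound contact alone, the callback goes to the number on file in an authoritative directory rather than one the caller supplies, and common pressure language is surfaced as a red flag. The directory, the list of sensitive actions and the phrase list are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed, hypothetical staff directory. This is the only trusted source
# of contact details; a real deployment would query HR or the corporate
# directory, never anything the requester provides.
DIRECTORY = {
    "alice.lee": {"phone": "+1-555-0100", "manager": "dana.kim"},
    "dana.kim": {"phone": "+1-555-0101", "manager": None},
}

# Assumed set of actions that require out-of-band verification.
SENSITIVE_ACTIONS = {"password_reset", "change_payroll_account", "grant_remote_access"}

# Assumed phrases typical of urgency/authority pressure; order matters for output.
PRESSURE_PHRASES = ("urgent", "right now", "immediately", "ceo", "don't tell")


@dataclass
class Request:
    claimed_user: str
    action: str
    channel: str                               # e.g. "phone", "email", "chat"
    callback_supplied: Optional[str] = None    # number the requester asked us to use
    message: str = ""


@dataclass
class Decision:
    proceed_now: bool
    verify_via: Optional[str]                  # directory number to call back, or None
    red_flags: List[str] = field(default_factory=list)


def triage(req: Request) -> Decision:
    """Decide whether a request may be handled immediately or must be verified."""
    flags: List[str] = []

    # Low-risk actions follow the normal workflow.
    if req.action not in SENSITIVE_ACTIONS:
        return Decision(True, None, flags)

    # Identity must resolve in the trusted directory; otherwise stop.
    entry = DIRECTORY.get(req.claimed_user)
    if entry is None:
        flags.append("claimed identity not in directory")
        return Decision(False, None, flags)

    # Classic pretext: the caller offers their own callback number. We ignore it
    # for verification and record the mismatch, because the attacker controls it.
    if req.callback_supplied and req.callback_supplied != entry["phone"]:
        flags.append("callback number in request differs from directory")

    # Surface urgency/authority pressure so the agent consciously slows down.
    lowered = req.message.lower()
    hits = [p for p in PRESSURE_PHRASES if p in lowered]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))

    # Sensitive action: never proceed now; call back the number on file.
    return Decision(False, entry["phone"], flags)


if __name__ == "__main__":
    # Constructed sample: a caller claiming to be alice.lee, supplying a
    # different callback number and applying time pressure.
    sample = Request("alice.lee", "password_reset", "phone",
                     callback_supplied="+1-555-0199",
                     message="Urgent, I need this right now, the CEO is waiting")
    print(triage(sample))
```

The point the code makes is the one the paragraph states in prose: the decision to act comes from the directory lookup and the callback, not from anything in the request. The pressure-phrase list is a coarse heuristic to prompt the agent, not a classifier.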
CISSP Relevance
Domain 1 (Security and Risk Management) covers social engineering as a significant threat vector. Understand common techniques, psychological principles exploited, and countermeasures including training, policies, and verification procedures. Know that social engineering testing should be part of security assessment programs.
Social engineering awareness resources are at CISA Cybersecurity Best Practices.
Related terms: Phishing, Security Awareness Training